Pakistan Hit by Targeted Attacks

Monday, May 20, 2013 @ 01:05 PM gHale

A family of information-stealing malware targeting Pakistan looks like it is coming out of India.

Unlike other known cyber espionage campaigns, this one appears oddly rudimentary in that it uses publicly available tools and basic obfuscation methods, and doesn’t encrypt its command-and-control communications, according to researchers at Eset, which posted its analysis of the malware and attack.

“String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work,” said Jean-Ian Boutin, a malware researcher with Eset.

The malware campaign is at least two years old and spreads via phishing emails with rigged Word and PDF files, according to Eset. It steals sensitive information via keyloggers, screenshots, and uploading stolen documents, unencrypted. “The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation,” Boutin said.

The attack uses a code-signing certificate issued in 2011 to a New Delhi, India-based Technical and Commercial Consulting Pvt. Ltd., and it ensures the malware binaries could spread within the victim organization. The certificate ended up revoked in late March 2012, but was still in use. Eset contacted VeriSign, which revoked the certificate. Eset found more than 70 binary files signed with the malicious certificate.

Among the attachments was one that appears to be about Indian military secrets. “We do not have precise information as to which individuals or organizations were really specifically targeted by these files, but based on our investigations, it is our assumption that people and institutions in Pakistan were targeted,” Boutin said.

Nearly 80 percent of the infections are in Pakistan, according to Eset. One version of the attack exploits a known and patched Microsoft Office flaw, CVE-2012-0158. The malware executes once the victim opens a malicious Word attachment; the other method used in the attack uses PE files that appear to be Word or PDF attachments.

The attackers used NirSoft’s WebPassView and Mail PassView tools for recovering passwords in email clients and browser stores; the tools ended up signed by the malicious cert.